Security Profiles
Objects -> Security Profile -> ___

* Security PROFILE = looks for malicious use of allowed applications.
* Security POLICY = defines which applications are allowed.

Profile types:
* Antivirus = anti-virus scans. Detects infected files being transferred with the application.
* Anti-Spyware = tries to catch spyware (backdoors, keyloggers, etc.). Detects spyware downloads and traffic from already installed spyware.
* Vulnerability Protection = looks at flaws like exploits. Detects attempts to exploit known software vulnerabilities.
* URL Filtering = requires a license. Classifies and controls web browsing based on content.
* File Blocking = will block file types. Tracks and blocks file uploads and downloads based upon file type and application.
* Data Filtering = will look at security numbers. Looks for specific patterns of data in the traffic.

* Profiles are applied to policies that ALLOW traffic only. A profile cannot be applied to DENY traffic, since no further processing is needed once the packets are dropped.

Anti-Virus Security Profile

Inspection is done through stream-based analysis, which means files are not cached or stored in their entirety on the firewall, but analyzed in real time as they pass through the firewall.

Default profile actions:
* HTTP = Block
* FTP = Block
* SMTP = Alert
* IMAP = Alert
* POP3 = Alert
* SMB = Block

SMTP, POP3 and IMAP have the default action of ALERT because in most cases there is already a dedicated anti-virus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not possible to clean files or properly terminate an infected file transfer in-stream without affecting the entire session.
* Customized profiles can be created and allow you to customize the action for each protocol.
* POP3, IMAP, and SMTP are 'store-and-forward' protocols; if an intermediate device drops the packets, they are designed to keep resending until the data is ultimately delivered.
In the anti-virus and anti-spyware security profiles, you can specify actions based upon the six decoders in the system. A decoder is a software process on the firewall that interprets the protocol. The default action is to block any detected virus unless the protocol is POP3, IMAP, or SMTP, in which case the default is to alert.
* Alert = no traffic is blocked; generates an entry in the threat log.
* Packet Capture = alerts and captures the portion of the file that triggered the virus signature. Used to verify a virus and rule out a false positive.
* WildFire Action column = defines the action taken if the infected file is matched against the threat list maintained by the WildFire subscription feature.

Anti-Spyware Security Profile

The PAN comes with 2 predefined profiles that cannot be modified or deleted:
* 'Default' = this profile is applied to all client and server critical, high, and medium severity spyware events. It is typically used for proof of concept (POC) or first-phase deployments.
* 'Strict' = this profile applies the block response to all client and server critical, high and medium severity spyware events and uses the default action for low and informational spyware events. Strict profiles are used for out-of-the-box protection with the recommended block of critical, high, and medium threats.

Customized profiles can be used to minimize anti-spyware inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as traffic sent to highly sensitive destinations, such as server farms.

[ RULES tab ]
* "Block" or "Alert" will generate log entries. "Allow" will not log.

[ EXCEPTIONS tab ]
* This tab allows you to change the response to a specific signature.
* Exceptions are made of individual signatures and can be restricted to specific IP addresses. These must be entered as unicast addresses.
* Packet captures must be requested on a per-signature basis.
* They can be set for both active and exempted signatures.

[ DNS SIGNATURES tab ]
* These settings provide an additional method of identifying infected hosts on a network.
* Detect specific DNS lookups for host names that have been associated with malware.
* Hosts that perform DNS queries for malware domains will appear in the botnet report.
* DNS signatures are downloaded as part of the antivirus updates.
* DNS-based signature scanning only works if the DNS requests are visible to the firewall.

Vulnerability Protection Security Profile
* Provides IPS functionality.
** Intrusion Protection System (IPS) = provides a second layer of traffic filtering.
* Detects attempts to use known exploits on the network.
* The Vulnerability Protection feature detects and prevents network-borne attacks against vulnerabilities on client and server systems. Vulnerabilities can be system- and service-specific or generic, and are not bound to a specific port, but to a protocol or application.

The PAN comes with 2 predefined profiles that cannot be modified or deleted:
* 'Default' = this profile applies the default action to all client and server critical, high, and medium severity vulnerability protection events. It is typically used for proof of concept (POC) or first-phase deployments.
* 'Strict' = this profile applies the block response to all client and server critical, high, and medium severity vulnerability protection events and uses the default action for low and informational vulnerability protection events. Strict profiles are used for out-of-the-box protection with the recommended block of critical, high, and medium threats.

[ RULES tab ]
* Focus on specific threats, Common Vulnerabilities and Exposures (CVEs) or vendors.
* Look for server, client or combination threats.
* Tailor actions based on category and severity.

Actions for traffic that matches a vulnerability protection profile:
* Allow = threats are allowed to pass with no logging.
* Alert = threats are allowed to pass and are logged in the threat log.
* Block = threats are blocked by the firewall and logged in the threat log.

[ EXCEPTIONS tab ]
* Allows you to change the response for a specific signature.
* Exceptions are made of individual signatures and can be restricted to specific IP addresses. These must be entered as unicast addresses.
* The IP Address Exception column is checked against both the source and destination addresses.

URL Filtering Security Profile
* A policy can include a URL filtering profile that blocks access to specific web sites and web site categories, or generates an alert when the specified web sites are accessed. (A URL filtering license is required.)
* Able to define a block list of web sites that are always blocked (or generate alerts) and an allow list of web sites that are always allowed.
* PAN-OS supports 2 different URL filtering databases: BrightCloud and PAN-DB. Custom URL categories can be defined to customize the behavior of the URL filtering profiles.

1. URL Category
* Can be used as a match condition for security, QoS, decryption, and Captive Portal policies.
* Only matches pre-defined or custom categories.
* The traffic behavior is controlled by the policy.
* Logged as part of the entry for a policy in the Traffic Log.

2. URL Filtering Security Profile
* The URL filtering feature can be used by placing categories directly in policies or by attaching a URL Filtering profile to a security rule. URL filtering only affects HTTP and HTTPS traffic.
* It is only applied to traffic allowed by security policies.
* Can match pre-defined or custom categories, as well as block/allow lists.
* Actions can be configured differently for individual categories or URLs.
* Logged in the URL Filtering Log.

URL Lookup and Matching

When a security policy triggers a URL profile, the URL is checked against the following, in order, and checking stops when a match is found:
1. Block list
2. Allow list
3. Custom categories
4. URL categories (PAN-DB or BrightCloud)

The explicit block and allow lists take precedence over URL categories. (Leave out the "http://" for these entries.)

A token is a string of characters that begins or ends with a valid separator character (. / ? & = ; +).
Example: *.yahoo.com (the tokens are "*", "yahoo" and "com").

Entries in the block list are exact match and are case-insensitive.
Example: if you want to block an entire domain, you should include both *.paloaltonetworks.com AND paloaltonetworks.com.
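As an added example (not from the original notes and not PAN-OS code), the following Python models the lookup order and the token-matching rules described in this section. The class name URLFilteringProfile, the category names and the .example/.test host names are constructed for the illustration. It assumes that a single "*" stands in for one or more whole tokens, and that list entries are compared against the host portion of the URL only.

```python
"""Model of the URL lookup order and token matching from the notes above.

Constructed example; not PAN-OS code.  Assumptions are marked in comments.
"""
import re

# Separator characters listed in the notes: . / ? & = ; +
SEPARATORS = re.compile(r"[./?&=;+]")
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def host_of(url: str) -> str:
    """Strip a scheme (the notes say to leave 'http://' out of entries) and any
    path, then lower-case, because matching is case-insensitive.
    Assumption: this model compares entries against the host portion only."""
    url = SCHEME.sub("", url.strip())
    return url.split("/", 1)[0].lower()


def tokenize(entry: str) -> list:
    """Split on the separator characters; '*' is an ordinary token here."""
    return [t for t in SEPARATORS.split(host_of(entry)) if t]


def tokens_match(pattern: list, tokens: list) -> bool:
    """Exact, position-by-position token match (no leftover tokens allowed).
    Assumption: one '*' stands in for one or more whole tokens, never a
    fragment of a token."""
    if not pattern:
        return not tokens
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        return any(tokens_match(rest, tokens[i:]) for i in range(1, len(tokens) + 1))
    return bool(tokens) and tokens[0] == head and tokens_match(rest, tokens[1:])


def matches(entry: str, url: str) -> bool:
    return tokens_match(tokenize(entry), tokenize(url))


class URLFilteringProfile:
    """Lookup order from the notes: block list, allow list, custom categories,
    then predefined categories.  Evaluation stops at the first match."""

    def __init__(self, block_list, allow_list, custom_categories,
                 category_actions, predefined_lookup, default_action="allow"):
        self.block_list = block_list
        self.allow_list = allow_list
        self.custom_categories = custom_categories    # {name: [entries]}
        self.category_actions = category_actions      # {category: action}
        self.predefined_lookup = predefined_lookup    # host -> category or None
        self.default_action = default_action

    def evaluate(self, url):
        """Return (action, reason) for a URL."""
        if any(matches(e, url) for e in self.block_list):
            return "block", "block list"
        if any(matches(e, url) for e in self.allow_list):
            return "allow", "allow list"
        for name, entries in self.custom_categories.items():
            if any(matches(e, url) for e in entries):
                return self.category_actions.get(name, self.default_action), f"custom category {name}"
        category = self.predefined_lookup(host_of(url))
        if category is not None:
            return self.category_actions.get(category, self.default_action), f"category {category}"
        return self.default_action, "no match"


# Constructed sample data: a stand-in for the PAN-DB/BrightCloud lookup and
# placeholder .example/.test names.
PREDEFINED = {"social.example": "social-networking", "news.example": "news"}

profile = URLFilteringProfile(
    block_list=["*.paloaltonetworks.com", "paloaltonetworks.com", "bad.partner.test"],
    allow_list=["mail.yahoo.com"],
    custom_categories={"partner-sites": ["*.partner.test"]},
    category_actions={"partner-sites": "alert", "social-networking": "block", "news": "allow"},
    predefined_lookup=PREDEFINED.get,
)

if __name__ == "__main__":
    for u in ["http://www.paloaltonetworks.com", "paloaltonetworks.com", "mail.yahoo.com",
              "HTTPS://Portal.Partner.Test", "bad.partner.test", "social.example", "other.test"]:
        print(u, "->", profile.evaluate(u))
```

Running it shows the two points the notes make: because entries are exact token matches, "*.paloaltonetworks.com" on its own does not cover the bare "paloaltonetworks.com", so both entries are needed; and because the block list is checked first, "bad.partner.test" is blocked even though it also falls under the custom category whose action is alert.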
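Returning to the DNS Signatures tab of the anti-spyware profile: as an added example (not the firewall's own code), the following Python applies a constructed list of malware domains to constructed DNS query log lines and summarizes which hosts queried them, in the spirit of the botnet report. The log line format, the domain names and the rule that a query matches a signature for any parent domain are all assumptions made for the illustration.

```python
"""DNS-signature style detection over constructed query logs.

Constructed example; not PAN-OS code.  Assumptions are marked in comments.
"""
import re
from collections import defaultdict

# Constructed signature list (placeholder .test domains).  On the firewall the
# real list arrives with the antivirus updates.
MALWARE_DOMAINS = {"c2.malware-example.test", "update.badbot.test"}

# Assumed log format: "<timestamp> src=<client ip> qtype=<type> qname=<name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")


def normalize(qname: str) -> str:
    """Drop a trailing dot and lower-case; DNS names are case-insensitive."""
    return qname.rstrip(".").lower()


def domain_matches(qname: str, signatures) -> "str | None":
    """Return the signature that covers this name, or None.
    Assumption: a signature for a domain also covers its subdomains."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # never match on the TLD alone
        candidate = ".".join(labels[i:])
        if candidate in signatures:
            return candidate
    return None


def botnet_report(log_lines, signatures=MALWARE_DOMAINS) -> dict:
    """Map each client that queried a signature domain to {domain: count}.
    Lines that do not fit the assumed format are skipped."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = domain_matches(m["qname"], signatures)
        if hit:
            report[m["src"]][hit] += 1
    return {host: dict(d) for host, d in report.items()}


def top_hosts(report: dict) -> list:
    """Hosts ordered by total signature hits, most hits first."""
    totals = [(host, sum(d.values())) for host, d in report.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


# Constructed sample log: three clients, one of them repeatedly resolving a
# signature domain, one line deliberately malformed.
SAMPLE_LOG = [
    "2020-02-14T10:00:01Z src=10.0.0.5 qtype=A qname=www.example.com.",
    "2020-02-14T10:00:02Z src=10.0.0.5 qtype=A qname=c2.malware-example.test.",
    "2020-02-14T10:00:07Z src=10.0.0.5 qtype=A qname=C2.Malware-Example.TEST",
    "2020-02-14T10:00:09Z src=10.0.0.9 qtype=AAAA qname=sub.update.badbot.test.",
    "2020-02-14T10:00:11Z src=10.0.0.11 qtype=A qname=mail.example.com.",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    report = botnet_report(SAMPLE_LOG)
    for host, total in top_hosts(report):
        print(host, total, report[host])
```

The model only ever sees the lines it is given, which mirrors the last bullet of that section: if the resolver traffic bypasses the firewall, none of these lookups are visible and no host lands in the report.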